Subject: Re: Autoblocking sites after ssh probes
To: Martin Husemann <firstname.lastname@example.org>
From: Mike M. Volokhov <email@example.com>
Date: 01/28/2005 09:30:56
On Thu, 27 Jan 2005 23:29:42 +0100
Martin Husemann <firstname.lastname@example.org> wrote:
> Now, here is the question: does anyone know of a tool to automagically recognize
> this sequence of logs that temporarily adds the coresponding block rules to
> ipf and expires them after, say, 24 hours?
> Is there anything wrong from a security point of view with this aproach?
> It's not a protection in itself, and it's just one common attack (out of
> hundreds, I guess). But maybe as an additional obstacle?
IMHO, it sould be done by ssh itself. The blocking should occurs in case
of login probes only, but ssh only knows, is this a probes or not. To
prevent possible DoS, it may contain a list of non-DoS IPs to avoid such
Another idea is block all by default and use something like port
knocking to grant access, as it was already proposed by Daniel.